OSS BLOG

picoCTF 2018 recently ended on October 12, 2018 so we wanted to do a small writeup on different challenges we saw when competing in the event.

Challenge Name: Client Side is Still Bad

This was an easy challenge that was, in some way, designed to warm up the participants to some of the web concepts. When you go to the website, you will see a basic-looking web login form. The "trick" to finding the challenge flag was associated with the challenge name itself. Client-side refers to code, either JS or HTML, that is sent to and rendered in the browser, so anything in it is visible to the user. So in this case, once we open the client-side source of the website with view-source:http://2018shell2.picoctf.com:53990/ we can see the flag in the JS portion of the site:

JavaScript function verify() that contains the flag.

Challenge Name: Logon

This was another simple challenge to start on the web exploitation section. In this case, we are presented with a login page that allows logging in as any user except admin. When we enter the username admin, it shows an error message stating that the admin account is "super secure":

Error when the username is admin.

Once we logged in as any other user, we decided to see how the website checked whether a user was an admin or not. In a web app this can be done in multiple ways, but the two most common are a session check through server-side session variables, and a permission check through cookies (really insecure). In this case, the website was using the latter option. Checking a user's permission level through cookies is highly insecure because cookies can be modified client-side. In this case, we changed the cookie admin to have the value True and refreshed the page, which gave the flag.

Flag after changing admin to True.
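To make the difference between the two checks concrete, here is an added Python example (our own illustration, not the challenge's server code, which we never saw). It puts the cookie-trusting check next to a version where the admin flag is bound to an HMAC tag computed with a server-side secret; the secret, cookie names and the `|`-separated session format are assumptions made for the example, and usernames are assumed not to contain `|`.

```python
import hashlib
import hmac

# Constructed server-side secret for this example; a real app loads it from config.
SECRET_KEY = b"constructed-demo-secret-do-not-reuse"


def parse_cookie_header(header: str) -> dict:
    """Split a raw Cookie header ("a=1; b=2") into a name -> value dict."""
    cookies = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = value
    return cookies


def is_admin_insecure(cookie_header: str) -> bool:
    """The Logon pattern: trust a bare 'admin' cookie. Anyone can set admin=True."""
    cookies = parse_cookie_header(cookie_header)
    return cookies.get("admin") == "True"


def sign_session(username: str, is_admin: bool) -> str:
    """Server-issued session value: 'user|flag' plus an HMAC-SHA256 tag over it.
    Assumes usernames never contain the '|' separator."""
    payload = f"{username}|{'True' if is_admin else 'False'}"
    tag = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{tag}"


def is_admin_signed(cookie_header: str) -> bool:
    """Hardened check: the admin flag counts only if the tag verifies, so editing
    'False' to 'True' in the browser invalidates the cookie instead of escalating."""
    cookies = parse_cookie_header(cookie_header)
    session = cookies.get("session")
    if session is None:
        return False
    parts = session.split("|")
    if len(parts) != 3:
        return False
    username, flag, tag = parts
    expected = hmac.new(SECRET_KEY, f"{username}|{flag}".encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking how many tag bytes matched.
    if not hmac.compare_digest(tag, expected):
        return False
    return flag == "True"


if __name__ == "__main__":
    # A non-admin user edits their cookie the way the writeup describes.
    print("insecure check, forged cookie:", is_admin_insecure("username=alice; admin=True"))
    legit = sign_session("alice", False)
    forged = legit.replace("|False|", "|True|")
    print("signed check, forged cookie:  ", is_admin_signed(f"session={forged}"))
    print("signed check, genuine admin:  ", is_admin_signed(f"session={sign_session('root', True)}"))
```

Flask's built-in session cookie is protected the same way (signed with SECRET_KEY), which is why the first option mentioned above, keeping the permission in the session rather than in a plain cookie, would have blocked this trick. Note that a signed cookie only stops tampering; it still has to be sent over HTTPS and marked HttpOnly so it is not stolen instead.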

Challenge Name: Flaskcards

Originally, when I looked at this web application, I could not make much sense of it. This application allowed users to create flash cards and save them. I first looked for common vulnerabilities like SQL injection, but none of them gave any results. Then I noticed that the challenge name was Flaskcards, not Flashcards. This gave a major hint for solving this challenge. Flask is a widely used framework for writing web applications in Python. Even though Flask is a good framework, a lack of proper sanitization of user input can lead to the execution of user-supplied template code. This vulnerability is called Server-Side Template Injection (SSTI). You can learn more about Flask SSTI here: https://nvisium.com/blog/2016/03/09/exploring-ssti-in-flask-jinja2.html.

In the same blog post, we can also learn about pulling config information through SSTI. To check whether the web app was vulnerable, I put {{ 2*2 }} as the question of a flash card. If the app was vulnerable, the website would return 4, the result of evaluating 2 times 2. As expected, the website returned 4. Next, to grab the configuration values, I tried {{ config.items() }}, which dumped the config along with the flag.
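Here is an added Python example (ours, not the Flaskcards source, which we did not have) that reproduces the root cause directly in Jinja2, the template engine Flask uses: the vulnerable version builds the template source from the card question, so `{{ 2*2 }}` becomes 4 and `{{ config.items() }}` reads whatever is in the render context, while the fixed version keeps the template constant and passes the question in as a variable. The `config` dict and its values are constructed stand-ins for Flask's app.config, and the card markup is made up.

```python
from jinja2 import Environment

# Constructed stand-in for Flask's app.config, which Flask makes available to
# every template as `config`; these values are made up for the example.
FAKE_CONFIG = {
    "SECRET_KEY": "constructed-secret-key",
    "FLAG": "picoCTF{constructed_example_flag}",
}


def render_card_vulnerable(question: str) -> str:
    """User text is pasted into the template *source*, so Jinja parses and
    evaluates any {{ ... }} the user typed. This mirrors the Flaskcards bug."""
    env = Environment()
    source = "<div class='card'>" + question + "</div>"
    return env.from_string(source).render(config=FAKE_CONFIG)


def render_card_safe(question: str) -> str:
    """The template source is a constant; user text arrives as a variable and is
    printed (and HTML-escaped), never parsed as template syntax."""
    env = Environment(autoescape=True)
    source = "<div class='card'>{{ question }}</div>"
    return env.from_string(source).render(question=question, config=FAKE_CONFIG)


def looks_like_template_probe(text: str) -> bool:
    """Cheap detection for the probes used in this challenge; useful when
    logging or alerting on user-submitted fields."""
    return "{{" in text or "{%" in text


if __name__ == "__main__":
    for probe in ("{{ 2*2 }}", "{{ config.items() }}"):
        print("vulnerable:", render_card_vulnerable(probe))
        print("safe:      ", render_card_safe(probe))
        print("probe?     ", looks_like_template_probe(probe))
```

In Flask terms the vulnerable function is `render_template_string("..." + question)` and the safe one is `render_template_string("...{{ question }}...", question=question)`; the fix is never to let user input reach the template source.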

Challenge Name: HEE_Johnny

This challenge was a basic password cracking challenge. The hints for this challenge are in the title and the hint section itself. Johnny is a common way to refer to a popular password cracking tool called John the Ripper.

When we start the challenge, we are presented with a passwd and a shadow file. The shadow file usually contains the password hashes of the users on the system. Now, if we do a quick lookup on cracking shadow files with John, we find that John accepts a file created through the unshadow command. unshadow requires passing the passwd and shadow files; it then combines them to create a new passwd-style file. We do so with unshadow passwd shadow > new_passwd. Once this is done, we need a wordlist for John. As the challenge suggests, rockyou.txt is the best option for this. Then we run john -w=rockyou.txt new_passwd. We then get the flag picoCTF{J0hn_1$_R1pp3d_289677b5} after logging into the server with the cracked password.
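To show what unshadow actually produces, here is an added Python example (ours, not part of John the Ripper) that merges a passwd and a shadow file the same way: the `x` in passwd's password field is replaced with the hash from shadow for the matching user. It also reports which accounts even have a crackable hash, since locked accounts (`*` or `!`) are skipped by John. The sample files are constructed, and the hash is a placeholder in sha512crypt shape, not a real hash from the challenge.

```python
# Constructed sample files. The hash below is a placeholder in $6$salt$hash
# (sha512crypt) shape, not a real hash from the challenge.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
player:x:1000:1000:ctf player:/home/player:/bin/bash
"""

SHADOW_SAMPLE = """\
root:*:17800:0:99999:7:::
daemon:*:17800:0:99999:7:::
player:$6$constructedsalt$CONSTRUCTEDPLACEHOLDERHASHxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:17800:0:99999:7:::
"""

# crypt(3) scheme ids as they appear between the first two '$' signs.
CRYPT_SCHEMES = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt", "y": "yescrypt"}


def parse_colon_file(text: str) -> dict:
    """Map the first field (username) of each non-empty line to its field list."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        entries[fields[0]] = fields
    return entries


def unshadow(passwd_text: str, shadow_text: str) -> str:
    """Replace the 'x' in passwd's password field with the hash from shadow,
    which is what the unshadow command does to build John's input file."""
    shadow = parse_colon_file(shadow_text)
    merged = []
    for line in passwd_text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        user = fields[0]
        if user in shadow:
            fields[1] = shadow[user][1]
        merged.append(":".join(fields))
    return "\n".join(merged) + "\n"


def hash_scheme(password_field: str):
    """Return the crypt scheme name for a $id$salt$hash field, or None when the
    field holds no hash (locked '*' / '!' accounts, or 'x' / empty)."""
    if not password_field.startswith("$"):
        return None
    parts = password_field.split("$")
    return CRYPT_SCHEMES.get(parts[1], "unknown")


def crackable_accounts(merged_text: str) -> list:
    """Usernames whose password field holds an actual hash; John skips the rest."""
    return [fields[0] for fields in parse_colon_file(merged_text).values()
            if hash_scheme(fields[1]) is not None]


if __name__ == "__main__":
    merged = unshadow(PASSWD_SAMPLE, SHADOW_SAMPLE)
    print(merged)
    for user in crackable_accounts(merged):
        print(user, "->", hash_scheme(parse_colon_file(merged)[user][1]))
```

The same view is useful on the defensive side: a quick scan of which accounts carry a real hash, and under which scheme, tells you how much of a leaked shadow file a wordlist attack like the one above could actually reach.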

That is about it for a blog post about some of the challenges we solved in this CTF. We solved more challenges, but these were some of the easier ones and the kinds of challenges that are common in CTFs. Hopefully you liked it. Leave us a comment!

Check us out on YouTube for Web Security videos: https://www.youtube.com/channel/UCk2-UWhBkJFs-GcgLUywNJA